From mboxrd@z Thu Jan  1 00:00:00 1970
Received: from eggs.gnu.org ([2001:4830:134:3::10]:55168)
	by lists.gnu.org with esmtp (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1g1eKV-000187-Is
	for guix-patches@gnu.org; Sun, 16 Sep 2018 17:11:44 -0400
Received: from Debian-exim by eggs.gnu.org with spam-scanned (Exim 4.71)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1g1eC6-0001mU-RG
	for guix-patches@gnu.org; Sun, 16 Sep 2018 17:03:03 -0400
Received: from debbugs.gnu.org ([208.118.235.43]:38094)
	by eggs.gnu.org with esmtps (TLS1.0:RSA_AES_128_CBC_SHA1:16)
	(Exim 4.71) (envelope-from <Debian-debbugs@debbugs.gnu.org>)
	id 1g1eC6-0001mQ-N6
	for guix-patches@gnu.org; Sun, 16 Sep 2018 17:03:02 -0400
Received: from Debian-debbugs by debbugs.gnu.org with local (Exim 4.84_2)
	(envelope-from <Debian-debbugs@debbugs.gnu.org>) id 1g1eC6-00051N-Im
	for guix-patches@gnu.org; Sun, 16 Sep 2018 17:03:02 -0400
Subject: [bug#32674] [PATCH 0/1] Use gpgv and keybox files for 'guix refresh'
	& co.
Resent-Message-ID: <handler.32674.B32674.153713173419242@debbugs.gnu.org>
From: ludo@gnu.org (Ludovic =?UTF-8?Q?Court=C3=A8s?=)
References: <20180909204335.21400-1-ludo@gnu.org>
	<20180913162904.GA11458@jasmine.lan>
Date: Sun, 16 Sep 2018 23:02:04 +0200
In-Reply-To: <20180913162904.GA11458@jasmine.lan> (Leo Famulari's message of
	"Thu, 13 Sep 2018 12:29:04 -0400")
Message-ID: <87y3c1dulv.fsf@gnu.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: quoted-printable
List-Id: <guix-patches.gnu.org>
List-Unsubscribe: <https://lists.gnu.org/mailman/options/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=unsubscribe>
List-Archive: <http://lists.gnu.org/archive/html/guix-patches/>
List-Post: <mailto:guix-patches@gnu.org>
List-Help: <mailto:guix-patches-request@gnu.org?subject=help>
List-Subscribe: <https://lists.gnu.org/mailman/listinfo/guix-patches>,
	<mailto:guix-patches-request@gnu.org?subject=subscribe>
Errors-To: guix-patches-bounces+kyle=kyleam.com@gnu.org
Sender: "Guix-patches" <guix-patches-bounces+kyle=kyleam.com@gnu.org>
To: Leo Famulari <leo@famulari.name>
Cc: Vagrant Cascadian <vagrant@debian.org>, Mark H Weaver <mhw@netris.org>, 32674@debbugs.gnu.org

Hello,

Leo Famulari <leo@famulari.name> skribis:

> On Sun, Sep 09, 2018 at 10:43:35PM +0200, Ludovic Court=C3=A8s wrote:
>> Hello Guix,
>>=20
>> (Cc=E2=80=99ing people with expertise and interest in this=E2=80=A6)
>>=20
>> This patch changes (guix gnupg) so that it uses keyrings in the =E2=80=
=9Ckeybox=E2=80=9D
>> file format to store and read upstream public keys (instead of using the
>> user=E2=80=99s default keyring), and so that it uses =E2=80=98gpgv --key=
ring=E2=80=99 instead
>> of =E2=80=98gpg --verify=E2=80=99.
>>=20
>> =E2=80=98gpgv=E2=80=99 is specifically designed for use cases like softw=
are signature
>> verification against a keyring of =E2=80=9Ctrusted keys=E2=80=9D (it=E2=
=80=99s used by APT and
>> Werner Koch recommends it=C2=B9.)  A significant difference compared to
>> =E2=80=98gpg --verify=E2=80=99 is that it doesn=E2=80=99t check whether =
keys are expired or
>> revoked; all that matters is whether the signature is valid and whether
>> the signing key is in the specified keyring.  I think that=E2=80=99s wha=
t we
>> want when checking the signature of a tarball or Git commit.
>
> Great, this is a big improvement. It would be awesome if we could get
> similar support in Git (or find another way to authenticate our code).

Yes, that was partly the motivation for this change.

Pushed as b9e1fddfd8c29b2fa6252ef52a75daa14aaabd3e.

Thanks Mike & Leo for your feedback!

Ludo=E2=80=99.